mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Add CI Installation steps and correct markdown lint errors
This commit is contained in:
parent
8c09a83248
commit
97bc137c5b
1 changed files with 74 additions and 60 deletions
84
README.md
84
README.md
|
@ -1,42 +1,56 @@
|
|||
|
||||
|
||||
## gosec -Golang Security Checker
|
||||
# gosec - Golang Security Checker
|
||||
|
||||
Inspects source code for security problems by scanning the Go AST.
|
||||
|
||||
<img src="https://securego.io/img/gosec.png" width="320">
|
||||
|
||||
|
||||
### License
|
||||
## License
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
||||
|
||||
### Project status
|
||||
## Project status
|
||||
|
||||
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
|
||||
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
|
||||
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
|
||||
|
||||
## Install
|
||||
|
||||
### Install
|
||||
### CI Installation
|
||||
|
||||
```bash
|
||||
# binary will be $GOPATH/bin/gosec
|
||||
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
|
||||
|
||||
# or install it into ./bin/
|
||||
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||
|
||||
# In alpine linux (as it does not come with curl by default)
|
||||
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||
|
||||
gosec --help
|
||||
```
|
||||
|
||||
### Local Installation
|
||||
|
||||
`$ go get github.com/securego/gosec/cmd/gosec/...`
|
||||
|
||||
### Usage
|
||||
## Usage
|
||||
|
||||
Gosec can be configured to only run a subset of rules, to exclude certain file
|
||||
paths, and produce reports in different formats. By default all rules will be
|
||||
run against the supplied input files. To recursively scan from the current
|
||||
directory you can supply './...' as the input argument.
|
||||
|
||||
#### Selecting rules
|
||||
### Selecting rules
|
||||
|
||||
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
||||
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||
|
||||
##### Available rules
|
||||
### Available rules
|
||||
|
||||
- G101: Look for hard coded credentials
|
||||
- G102: Bind to all interfaces
|
||||
|
@ -64,8 +78,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
|||
- G504: Import blacklist: net/http/cgi
|
||||
- G505: Import blacklist: crypto/sha1
|
||||
|
||||
|
||||
```
|
||||
```bash
|
||||
# Run a specific set of rules
|
||||
$ gosec -include=G101,G203,G401 ./...
|
||||
|
||||
|
@ -73,12 +86,12 @@ $ gosec -include=G101,G203,G401 ./...
|
|||
$ gosec -exclude=G303 ./...
|
||||
```
|
||||
|
||||
#### Excluding files:
|
||||
### Excluding files
|
||||
|
||||
gosec will ignore dependencies in your vendor directory any files
|
||||
that are not considered build artifacts by the compiler (so test files).
|
||||
|
||||
#### Annotating code
|
||||
### Annotating code
|
||||
|
||||
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
||||
|
||||
|
@ -107,16 +120,17 @@ In some cases you may also want to revisit places where #nosec annotations
|
|||
have been used. To run the scanner and ignore any #nosec annotations you
|
||||
can do the following:
|
||||
|
||||
```bash
|
||||
gosec -nosec=true ./...
|
||||
```
|
||||
$ gosec -nosec=true ./...
|
||||
```
|
||||
#### Build tags
|
||||
|
||||
### Build tags
|
||||
|
||||
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
|
||||
They can be provided as a comma separated list as follows:
|
||||
|
||||
```
|
||||
$ gosec -tag debug,ignore ./...
|
||||
```bash
|
||||
gosec -tag debug,ignore ./...
|
||||
```
|
||||
|
||||
### Output formats
|
||||
|
@ -125,34 +139,35 @@ gosec currently supports text, json, yaml, csv and JUnit XML output formats. By
|
|||
results will be reported to stdout, but can also be written to an output
|
||||
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
|
||||
|
||||
```
|
||||
```bash
|
||||
# Write output in json format to results.json
|
||||
$ gosec -fmt=json -out=results.json *.go
|
||||
```
|
||||
### Development
|
||||
|
||||
#### Prerequisites
|
||||
## Development
|
||||
|
||||
### Prerequisites
|
||||
|
||||
Install dep according to the instructions here: https://github.com/golang/dep
|
||||
Install the latest version of golint: https://github.com/golang/lint
|
||||
|
||||
#### Build
|
||||
### Build
|
||||
|
||||
```
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
#### Tests
|
||||
### Tests
|
||||
|
||||
```
|
||||
```bash
|
||||
make test
|
||||
```
|
||||
|
||||
#### Release Build
|
||||
### Release Build
|
||||
|
||||
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
|
||||
|
||||
```
|
||||
```bash
|
||||
git tag 1.0.0
|
||||
export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
|
||||
make release
|
||||
|
@ -160,7 +175,7 @@ make release
|
|||
|
||||
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
|
||||
|
||||
```
|
||||
```bash
|
||||
./dist/darwin_amd64/gosec -h
|
||||
gosec - Golang security checker
|
||||
|
||||
|
@ -174,35 +189,34 @@ BUILD DATE: 2018-04-27T12:41:38Z
|
|||
|
||||
Note that all released archives are also uploaded to GitHub.
|
||||
|
||||
#### Docker image
|
||||
### Docker image
|
||||
|
||||
You can build the docker image as follows:
|
||||
|
||||
```
|
||||
```bash
|
||||
make image
|
||||
```
|
||||
|
||||
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
|
||||
`GOPATH` of the container:
|
||||
|
||||
```
|
||||
```bash
|
||||
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
|
||||
```
|
||||
|
||||
#### Generate TLS rule
|
||||
### Generate TLS rule
|
||||
|
||||
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
|
||||
|
||||
|
||||
First you need to install the generator tool:
|
||||
|
||||
```
|
||||
```bash
|
||||
go get github.com/securego/gosec/cmd/tlsconfig/...
|
||||
```
|
||||
|
||||
You can invoke now the `go generate` in the root of the project:
|
||||
|
||||
```
|
||||
```bash
|
||||
go generate ./...
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue